Information and communications technology (ICT) is integral for the daily operations and functionality of U.S. critical infrastructure. If vulnerabilities in the ICT supply chain—composed of hardware, software, and managed services from third-party vendors, suppliers, service providers, and contractors—are exploited, the consequences can affect all users of that technology or service.
CISA, through the NRMC, is committed to working with government and industry partners to ensure that supply chain risk management (SCRM) is an integrated component of security and resilience planning for the Nation’s infrastructure.
ICT SCRM Overview
The ICT supply chain is a complex, globally interconnected ecosystem that encompasses the entire life cycle of ICT hardware, software, and managed services and a wide range of entities—including third-party vendors, suppliers, service providers, and contractors. From cell phone devices to information-sharing software, government and industry purchase these products and services and use them to power and enable critical infrastructure systems. However, a supply chain is only as strong as its weakest link.
Foreign adversaries, hackers, and criminals seeking to steal, compromise or alter, and destroy sensitive information can target government and industry via the contractors, sub-contractors, and suppliers at all tiers of the ICT supply chain. Compounding the complexity of securing the supply chain is that vulnerabilities may be introduced during any phase of the product life cycle: design, development and production, distribution, acquisition and deployment, maintenance, and disposal. These vulnerabilities can include the incorporation of malicious software, hardware, and counterfeit components; flawed product designs; and poor manufacturing processes and maintenance procedures.
CISA, through the NRMC, is committed to working with government and industry partners to enhance the security and resilience of the global ICT supply chain and to ensure that SCRM is an integrated component of the Agency’s cybersecurity efforts.
ICT SCRM Task Force
In December 2018, the Department of Homeland Security established the ICT SCRM Task Force—a public-private partnership charged to identify and develop consensus risk management strategies to enhance global ICT supply chain security.
Composed of representatives from 20 federal agencies and 40 industry members from across the Information Technology and Communications Sectors, the Task Force acts as a center of gravity for supply chain risk management partnership activity. The Task Force recently published an Interim Report on its activities to date which highlight output from past and current working groups. These working groups include efforts to:
- Better understand challenges surrounding the bi-directional sharing of SCRM information;
- Identify processes and criteria for threat-based evaluation of ICT supplies, products, and services;
- Identify market segment(s) and evaluation criteria for Qualified Bidder and Manufacturer List(s)
- Produce policy recommendations to incentivize the purchase of ICT from original manufacturers or authorized resellers; and
- Develop a supply chain attestation template for vendors.
Learn more about the ICT SCRM Task Force.
ICT SCRM Program Basics for Your Company
Companies and organizations that incorporate SCRM practices into their protocols and security plans may improve their overall ability to respond to and mitigate the consequences of SCRM vulnerabilities.
Elements of a comprehensive ICT program that companies/organizations should consider include:
- Identifying the people: A team of representatives from various roles/functions of the company (cybersecurity and physical security, inventory management, procurement and acquisition, or product development) who can ensure personnel at all levels are well-trained in the security policies and procedures for their role/function.
- Establishing the structure: The policies and procedures, based on industry standards and best practices (such as those from the National Institute of Standards and Technology (NIST)) on how to conduct effective SCRM and maintain compliance (e.g., annual employee training and exercises, demonstrations on the correct operation of equipment).
- Defining the components: Comprehensive lists of the ICT hardware, software, and services your company procures and from whom. Companies should also know on which internal systems critical information relies, and which systems have remote access capability to prevent unauthorized access.
- By assigning criticality (e.g., “high”, “medium”, and “low” ratings), your company can prioritize implementing measures to protect those systems and components that are essential to your operations.
- Knowing the supply chain: Maintain records and lists of your company’s suppliers, the suppliers’ sources, and what level of access your employees and third-party vendors have to your company’s systems. For example, maintenance records of critical systems, records of employees’ trainings, and lists of vendors and customers.
- Assessing the third-parties: An active, documented “know your supplier” plan that includes pre-established qualification criteria for screening suppliers. Examples of criteria may include:
- Verification and/or evaluation of the supplier’s on-site security;
- Verification that supplier’s addresses are valid business locations;
- An online search of the supplier’s background;
- List of suppliers’ third party-vendors and manufacturers, and
- Confirmation of business-to-business payment terms and methods (e.g., not allowing cash sales).
- Monitoring your SCRM program: Determine the frequency at which to audit suppliers against the practices and protocols that your company established throughout this process.
Executive Order 13873
On May 19, 2019, the President issued Executive Order on Securing the Information and Communications Technology and Services Supply Chaim (EO 13873) to strengthen efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and services.
The EO sets out the procedures the Department of Commerce will use to prohibit the use or transaction of “information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary”, and that pose risk of sabotage or subversion; 2) catastrophic effects on the Nation’s critical infrastructure or digital economy; or 3) adverse consequences to national security and public safety.
CISA was directed, within 80 days of the EO release, “to assess and identify entities, hardware, software, and services that present vulnerabilities in the United States and that pose the greatest potential consequences to the national security of the United States” as decision support to the Department of Commerce.
In response, CISA and the ICT Task Force worked with industry and government partners to develop a standardized taxonomy of ICT elements; perform criticality assessments on these ICT elements with appropriate stakeholder input; and assess the national security risks stemming from vulnerabilities in ICT hardware, software, and services including components enabling 5G communication.
SCRM Resources and News
- ICT SCRM Task Force Interim Report
- ICT SCRM Task Force Threat Scenarios Report
- Overview of Risks Introduced by 5G Adoption in the United States
- Fifth Generation (5G) Infographic
- Press Release – CISA’s ICT SCRM Task Force Approves Recommendations and Interim Report
- Press Release – CISA’s ICT SCRM Task Force Launched Work Streams
- Press Release – DHS and Private Sector Partners Establish ICT SCRM Task Force
- Press Release - DHS Announces ICT SCRM Task Force Members
For questions or comments, email email@example.com.